On 25 June 2021, the Cyprus Securities and Exchange Commission (CySEC) released its directive on the crypto-assets service provider (CASP) register (CASP Directive) which forms subsidiary legislation issued under section 61E of the Cypriot Prevention and Suppression of Money Laundering Law 2007.
The CASP Directive sets out detailed requirements on entities seeking registration in CySEC’s CASP register, including the procedure for registration; organisational and operating requirements for CASPs; and application and ongoing licensing fees.
The CySEC CASP Directive has also clarified the conditions for the CASP registration. Key points of note include:
- The Board of Directors must consist of at least four individuals, of which two must direct the business activities of the CASP.
- Parties with close links should not be subject to laws which obstruct supervision by CySEC.
- The CASP must establish appropriate policies and procedures to ensure AML and related compliance.
- The capital adequacy requirements for CASPs depends on the type of service offered and volume of business undertaken.
- Staff should not be remunerated in a way that conflicts with its duty to act in the best interest of its customers.
- Any outsourcing must avoid substantially diminishing the quality of the internal controls of the CASP or the ability of CySEC to supervise the CASP with all its obligations.
- Where the scale and complexity of its activity requires it, the CASP should establish an internal control function that is independent from any other functions and activities, for planning and executing the internal control mechanisms.
- CASPs must have security measures in place to verify the authenticity of transmitting the information, minimise the risk of data destruction, prevent unauthorised access, and avoid information leaks to ensure the data remains confidential.
The CASP Directive has only been published in Greek and may be assessed here.
Our previous blog post on CASPs in Cyprus can be found here.